npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.600 → 0.1.0-alpha.602 - Mend

@ouro.bot/cli 0.1.0-alpha.600 → 0.1.0-alpha.602

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/changelog.json +12 -0
package/dist/heart/daemon/process-manager.js +75 -1
package/dist/heart/daemon/sense-manager.js +27 -8
package/dist/heart/mailbox/readers/mail.js +9 -1
package/dist/mailroom/blob-store.js +20 -8
package/dist/mailroom/file-store.js +6 -3
package/package.json +1 -1

package/changelog.json CHANGED Viewed

@@ -1,6 +1,18 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.602",
+      "changes": [
+        "Two-part fix for the 2026-05-11 BlueBubbles wedge that drove the user (Ari) up the wall: Slugger's BB session showed the same user message replayed 76 times, because each death-spiral cycle re-injected the inbound. Root cause was the daemon's HTTP health probe (`createHttpHealthProbe(\"bluebubbles:<agent>\", port)`) GETting the sense's /health endpoint every ~60 s with a 5 s timeout — busy BB sense (e.g. VLM image-describe at 20+ s) timed out, daemon declared 'critical', SIGTERM'd the sense mid-work, respawned, hit the same image, killed again, forever. Part 1: removed the HTTP probe entirely from `listHealthProbes()`. Process supervision (`processManager` child-process exit handler) already catches dead processes; for 'alive but hung' we now rely on the agent's own awareness via `pendingRecoveryCount` / `lastRecoveredAt` in the BB runtime state surfaced into the prompt, plus the agent's new `restart_runtime` tool (from alpha.598 / #723). Part 2: defense-in-depth respawn-loop guard in `processManager.restartAgent` — if anything triggers more than `RESPAWN_GUARD_MAX_RESTARTS = 5` orchestrated restarts in `RESPAWN_GUARD_WINDOW_MS = 10 min`, refuse further restarts (`daemon.agent_respawn_loop_tripped` nerves event, errorReason + fixHint set on the snapshot). Trip self-clears once timestamps age out of the window, and `startAgent` (= `ouro up`) bypasses the guard so the operator can always recover. Even if some other future cause re-introduces a tight respawn loop, the guard bounds it. The 2026-05-11 spiral was ~60 restarts/hr — well above 5/10min, so this would have caught it."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.601",
+      "changes": [
+        "Mailbox tab loading hang: listMailOutbound now downloads blobs in parallel (MESSAGE_LIST_SCAN_CONCURRENCY=32) instead of sequentially, and accepts an optional limit. The Mailbox tab passes limit=50 so the UI no longer blocks on a full-history scan for agents with many outbound records."
+      ]
+    },
     {
       "version": "0.1.0-alpha.600",
       "changes": [

package/dist/heart/daemon/process-manager.js CHANGED Viewed

@@ -33,7 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DaemonProcessManager = void 0;
+exports.DaemonProcessManager = exports.RESPAWN_GUARD_WINDOW_MS = exports.RESPAWN_GUARD_MAX_RESTARTS = void 0;
 const child_process_1 = require("child_process");
 const path = __importStar(require("path"));
 const identity_1 = require("../identity");
@@ -41,6 +41,18 @@ const runtime_1 = require("../../nerves/runtime");
 function startOfHour(ms) {
     return ms - 60 * 60 * 1000;
 }
+/**
+ * Respawn-loop guard: refuse `restartAgent` if we've already orchestrated
+ * RESPAWN_GUARD_MAX_RESTARTS in the past RESPAWN_GUARD_WINDOW_MS.
+ *
+ * Calibrated for the 2026-05-11 BB sense incident: a misconfigured probe
+ * was triggering `restartAgent` every ~60s for hours. Five restarts in
+ * 10 minutes is well above the rate of legitimate operational restarts
+ * (a single human-initiated `ouro down && ouro up` produces one) and well
+ * below the rate of a death spiral (60/hr ⇒ 10/10min).
+ */
+exports.RESPAWN_GUARD_MAX_RESTARTS = 5;
+exports.RESPAWN_GUARD_WINDOW_MS = 10 * 60_000;
 class DaemonProcessManager {
     agents = new Map();
     maxRestartsPerHour;
@@ -149,6 +161,8 @@ class DaemonProcessManager {
                 startAttemptId: 0,
                 restartTimer: null,
                 crashTimestamps: [],
+                orchestratedRestartTimestamps: [],
+                respawnLoopTripped: false,
                 stopRequested: false,
                 cooldownTimer: null,
                 cooldownRetryCount: 0,
@@ -370,6 +384,11 @@ class DaemonProcessManager {
         this.clearRestartTimer(state);
         this.clearCooldownTimer(state);
         state.stopRequested = true;
+        // NOTE: do not touch state.respawnLoopTripped / orchestratedRestartTimestamps
+        // here. restartAgent calls stopAgent internally; clearing the guard here
+        // would reset the window every cycle and defeat the loop-detection. The
+        // guard self-clears when timestamps age out of the window (handled inside
+        // restartAgent at the prune step).
         if (!state.process) {
             state.snapshot.status = "stopped";
             state.snapshot.pid = null;
@@ -396,6 +415,61 @@ class DaemonProcessManager {
     }
     async restartAgent(agent) {
         const state = this.requireAgent(agent);
+        // Respawn-loop guard: prune timestamps outside the window, then check
+        // whether we've already restarted this agent too many times in it.
+        const now = this.now();
+        const windowStart = now - exports.RESPAWN_GUARD_WINDOW_MS;
+        state.orchestratedRestartTimestamps = state.orchestratedRestartTimestamps.filter((ts) => ts >= windowStart);
+        // If the window is now empty, the trip naturally self-clears. That means
+        // after RESPAWN_GUARD_WINDOW_MS of no restart attempts, the daemon is
+        // willing to try again (e.g. for a fresh health probe failure that has
+        // nothing to do with the original loop).
+        if (state.respawnLoopTripped && state.orchestratedRestartTimestamps.length === 0) {
+            state.respawnLoopTripped = false;
+            state.snapshot.errorReason = null;
+            state.snapshot.fixHint = null;
+            (0, runtime_1.emitNervesEvent)({
+                component: "daemon",
+                event: "daemon.agent_respawn_loop_cleared",
+                message: "respawn-loop guard cleared by window-aging",
+                meta: { agent, windowMs: exports.RESPAWN_GUARD_WINDOW_MS },
+            });
+            this.notifySnapshotChange(state.snapshot);
+        }
+        if (state.respawnLoopTripped) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_respawn_loop_blocked",
+                message: "refused agent restart — respawn-loop guard tripped; manual intervention required",
+                meta: {
+                    agent,
+                    recentRestartCount: state.orchestratedRestartTimestamps.length,
+                    windowMs: exports.RESPAWN_GUARD_WINDOW_MS,
+                },
+            });
+            return;
+        }
+        if (state.orchestratedRestartTimestamps.length >= exports.RESPAWN_GUARD_MAX_RESTARTS) {
+            state.respawnLoopTripped = true;
+            state.snapshot.errorReason = `respawn loop detected: ${exports.RESPAWN_GUARD_MAX_RESTARTS}+ restarts in ${Math.round(exports.RESPAWN_GUARD_WINDOW_MS / 60_000)}min — refusing further restarts`;
+            state.snapshot.fixHint = "investigate the root cause then run `ouro up` to resume";
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_respawn_loop_tripped",
+                message: "respawn-loop guard tripped; further restarts blocked",
+                meta: {
+                    agent,
+                    restartCount: state.orchestratedRestartTimestamps.length,
+                    windowMs: exports.RESPAWN_GUARD_WINDOW_MS,
+                    maxRestarts: exports.RESPAWN_GUARD_MAX_RESTARTS,
+                },
+            });
+            this.notifySnapshotChange(state.snapshot);
+            return;
+        }
+        state.orchestratedRestartTimestamps.push(now);
         if (state.startInFlight && !state.process) {
             const startedAt = state.startAttemptedAtMs;
             /* v8 ignore next -- defensive: startInFlight always records a start timestamp @preserve */

package/dist/heart/daemon/sense-manager.js CHANGED Viewed

@@ -44,7 +44,6 @@ const provider_credentials_1 = require("../provider-credentials");
 const sense_truth_1 = require("../sense-truth");
 const machine_identity_1 = require("../machine-identity");
 const process_manager_1 = require("./process-manager");
-const http_health_probe_1 = require("./http-health-probe");
 const DEFAULT_TEAMS_PORT = 3978;
 const DEFAULT_BLUEBUBBLES_PORT = 18790;
 const DEFAULT_BLUEBUBBLES_WEBHOOK_PATH = "/bluebubbles-webhook";
@@ -631,13 +630,33 @@ class DaemonSenseManager {
             if (!context.senses.bluebubbles.enabled || !context.facts.bluebubbles.configured || !machineRuntimeConfig.ok) {
                 continue;
             }
-            const machinePayload = machineRuntimeConfig.config;
-            const bluebubblesChannel = machinePayload.bluebubblesChannel;
-            const port = numberField(bluebubblesChannel, "port", DEFAULT_BLUEBUBBLES_PORT);
-            probes.push({
-                ...(0, http_health_probe_1.createHttpHealthProbe)(`bluebubbles:${agent}`, port),
-                managedName: `${agent}:bluebubbles`,
-            });
+            // DELIBERATELY no HTTP health probe for BlueBubbles.
+            //
+            // We used to register `createHttpHealthProbe(...)` here, which GETs the
+            // sense's /health endpoint every ~60s with a 5s timeout. On 2026-05-11
+            // that caused a death spiral:
+            //   1. Sense gets busy with real work (e.g. VLM image describe → 20+s)
+            //   2. /health probe times out at 5s
+            //   3. Daemon declares the sense "critical" → SIGTERMs it mid-work
+            //   4. Sense respawns, recovery loop replays the same inbound message
+            //      into the agent's BB session (visible side-effect — slugger saw
+            //      the same user text injected 76 times)
+            //   5. New sense hits the same VLM call, gets killed at 5s, repeat
+            //
+            // The probe was redundant supervision: dead processes are already
+            // recaptured by `processManager`'s child-process exit handler. The
+            // probe specifically caught "alive but hung" cases — but the cost
+            // (killing genuinely-busy processes and replaying messages) far
+            // outweighed the benefit. For "alive but hung" detection we now
+            // rely on the agent's own awareness: BB sense's runtime.json carries
+            // pendingRecoveryCount + lastRecoveredAt, surfaced in the agent
+            // prompt. If recovery has been wedged for too long, the agent can
+            // call `restart_runtime` itself (see alpha.598 / PR #723).
+            //
+            // The respawn-loop guard in processManager is the backstop: even if
+            // something else triggers a tight respawn cycle for any reason, the
+            // guard fires and refuses further restarts after N attempts in M
+            // minutes, so we can never re-enter the 2026-05-11 spiral.
         }
         return probes;
     }

package/dist/heart/mailbox/readers/mail.js CHANGED Viewed

@@ -8,6 +8,10 @@ const reader_1 = require("../../../mailroom/reader");
 const core_1 = require("../../../mailroom/core");
 const MAILBOX_MAIL_LIST_LIMIT = 50;
 const MAILBOX_MAIL_SUMMARY_LIMIT = MAILBOX_MAIL_LIST_LIMIT;
+// Cap the outbound list returned to the UI. The Mailbox tab renders a
+// bounded recent-outbound view; surfacing the entire outbound history is
+// what makes the tab hang on a loading spinner for large mailboxes.
+const MAILBOX_MAIL_OUTBOUND_LIMIT = 50;
 const MAILBOX_MAIL_BODY_LIMIT = 12_000;
 function emptyFolders() {
     return [
@@ -272,7 +276,11 @@ async function readMailView(agentName) {
         const summaries = result.decrypted.map(mailSummary);
         const screener = (await resolved.store.listScreenerCandidates({ agentId: agentName, status: "pending", limit: 100 }))
             .map(screenerCandidate);
-        const outbound = (await resolved.store.listMailOutbound(agentName)).map(outboundRecord);
+        // Cap outbound records returned to the UI. The mailbox tab shows a
+        // bounded recent-outbound view; pulling the entire history blocks the
+        // Mailbox tab on a loading spinner while the blob/file store grinds
+        // through every outbound record the agent has ever written.
+        const outbound = (await resolved.store.listMailOutbound(agentName, { limit: MAILBOX_MAIL_OUTBOUND_LIMIT })).map(outboundRecord);
         await resolved.store.recordAccess({
             agentId: agentName,
             tool: "mailbox_mail_list",

package/dist/mailroom/blob-store.js CHANGED Viewed

@@ -642,24 +642,36 @@ class AzureBlobMailroomStore {
         });
         return record;
     }
-    async listMailOutbound(agentId) {
+    async listMailOutbound(agentId, options = {}) {
         await this.ensureContainer();
-        const records = [];
+        // Stream blob NAMES first (no JSON downloads yet), then fan out the
+        // downloads with bounded concurrency. The previous loop awaited each
+        // download sequentially inside the iterator, which made every Mailbox
+        // tab open scale linearly with the total number of outbound records in
+        // the container — for an agent with many drafts/sent/failed entries,
+        // the UI sat on a loading spinner for minutes (or never finished) while
+        // the daemon ground through O(N) sequential network round-trips.
+        const outboundBlobNames = [];
         for await (const item of this.container.listBlobsFlat({ prefix: "outbound/" })) {
-            const record = await downloadJson(this.container.getBlockBlobClient(item.name), this.blobOperationTimeoutMs);
-            if (record)
-                records.push(record);
+            outboundBlobNames.push(item.name);
         }
-        const filtered = records
+        const downloaded = await mapWithConcurrency(outboundBlobNames, MESSAGE_LIST_SCAN_CONCURRENCY, async (name) => {
+            return downloadJson(this.container.getBlockBlobClient(name), this.blobOperationTimeoutMs);
+        });
+        const filtered = downloaded
+            .filter((record) => record !== null)
             .filter((record) => record.agentId === agentId)
             .sort((left, right) => right.updatedAt.localeCompare(left.updatedAt));
+        const limited = typeof options.limit === "number" && options.limit > 0
+            ? filtered.slice(0, options.limit)
+            : filtered;
         (0, runtime_1.emitNervesEvent)({
             component: "senses",
             event: "senses.mail_blob_outbound_records_listed",
             message: "azure blob mail outbound records listed",
-            meta: { agentId, count: filtered.length },
+            meta: { agentId, count: limited.length, scanned: outboundBlobNames.length },
         });
-        return filtered;
+        return limited;
     }
     async recordAccess(entry) {
         await this.ensureContainer();

package/dist/mailroom/file-store.js CHANGED Viewed

@@ -327,20 +327,23 @@ class FileMailroomStore {
         });
         return record;
     }
-    async listMailOutbound(agentId) {
+    async listMailOutbound(agentId, options = {}) {
         const records = fs.readdirSync(this.outboundDir)
             .filter((name) => name.endsWith(".json"))
             .map((name) => readJson(path.join(this.outboundDir, name)))
             .filter((record) => record !== null)
             .filter((record) => record.agentId === agentId)
             .sort((left, right) => right.updatedAt.localeCompare(left.updatedAt));
+        const limited = typeof options.limit === "number" && options.limit > 0
+            ? records.slice(0, options.limit)
+            : records;
         (0, runtime_1.emitNervesEvent)({
             component: "senses",
             event: "senses.mail_outbound_records_listed",
             message: "mail outbound records listed",
-            meta: { agentId, count: records.length },
+            meta: { agentId, count: limited.length, scanned: records.length },
         });
-        return records;
+        return limited;
     }
     async recordAccess(entry) {
         const complete = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.600",
+  "version": "0.1.0-alpha.602",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",